Hi Ertan, There is a permission system in BaseX, pleae take a look at our documentation at https://docs.basex.org/wiki/User_Management You can i.e. create an user with only read permission and this will forbid the execution of functionality, which requires higher privileges, i.e. file:list() requires create privileges and an execution would be impossible for an user with only read permissions. Cheers, Dirk On 08/27/2013 05:10 PM, Ertan Tike wrote:
Hi,
We are providing an cloud based application development environment with using the basex database. We want to allow developers can write xquery commands to access database but some security issues has appeared.
For example " file:list('c:/') " query returns the list of C:\ directory.
Is it possible to exclude some of modules from basex engine or is there any other way to execute query in sandbox environment which allows only FLWOR expressions and basic modules like "Math".
Scanning "file:" like prefixes may be a solution but maybe there is a better way to do it.
Thank you for help.
_______________________________________________ BaseX-Talk mailing list BaseX-Talk@mailman.uni-konstanz.de https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
-- Dirk Kirsten, BaseX GmbH, http://basex.org |-- Firmensitz: Blarerstrasse 56, 78462 Konstanz |-- Registergericht Freiburg, HRB: 708285, Geschäftsführer: | Dr. Christian Grün, Dr. Alexander Holupirek, Michael Seiferle `-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22